Share this story

Active attacks targeting a critical vulnerability in older versions of Microsoft's Internet Explorer browser have been carried out by an experienced gang of hackers. And over the past four years, the group has penetrated the defenses of Google and dozens of other companies using similar zero-day exploits.

The latest attack, which works against current IE versions of 6, 7, and 8, was found late last month on the CFR.org and Capstoneturbine.com, according to a variety of researchers (including Eric Romang and those from the FireEye Malware Research Lab). Such "watering hole" attacks get their name because they attempt to plant drive-by exploits into sites frequented by the people the attackers hope to infect, similar to a hunter targeting its prey as it drinks water.

According to a report issued late last week by researchers from antivirus provider Symantec, the attackers are none other than the Elderwood Gang. That's the same group that used a potent zero-day vulnerability in IE in 2010 to breach the defenses of Google and 34 other companies. As Ars reported in September, Elderwood operatives have since wielded a seemingly unlimited number of previously unknown exploits, mainly in an espionage campaign aimed at collecting source code, engineering blueprints, and other forms of intellectual property.

"It has become clear that the group behind the Elderwood Project continues to produce new zero-day vulnerabilities for use in watering hold attacks and we expect them to continue to do so in the new year," the Symantec researchers wrote in their most recent report. The number of infected machines remains limited, indicating that the attack is highly targeted.

Besides a steady stream of reliable attacks that exploit previously unknown vulnerabilities in IE and other widely used software packages, the Elderwood hackers exhibit other signs of above-average sophistication. The attacks set a cookie on the PC of each potential victim to ensure it's exposed to the code only once. That helps keep the campaign stealthy. The latest exploit also conceals malicious payloads in image files that are unique to each attack, measures that also make it hard for researchers to uncover the campaign.

The number of victims affected, the duration of the campaign, and the difficulty of identifying and reliably exploiting zero-day vulnerabilities indicate the hackers are likely backed by a large criminal organization or a nation state itself. At least that's what Symantec researchers have concluded, though some independent researchers have disagreed with that assessment.

Another testament to the effectiveness of the Elderwood gang is the duration of attacks. Romang has found signs the compromise of the CFR.org has been active since at least December 7, a full three weeks earlier than many other researchers suspected. The Capstone Turbine website may have been compromised since the middle of September, when it appears to have been used to exploit a separate vulnerability. The findings reinforce conclusions drawn from a recent Symantec report that zero-day attacks are more common and last longer than many security researchers previously thought.

Avoiding these types of attacks can be challenging, since they target people visiting legitimate websites and rarely provide any visible sign that something is amiss. That's especially true in the early stages of an attack, before AV packages detect the exploits.

In the current attack, the easiest way to prevent attacks is to use versions 9 or 10 of IE, or to use a different browser altogether. Those who can't upgrade to one of those versions should install a one-click fixit app that Microsoft has made available pending the release of a final security update.